Monday, 29 December 2014

Precisely a decade ago, just as staff at the mobile telecoms were getting ready to vacate their offices for the New Year holidays, a request was delivered from the Foreign and Commonwealth Office. I was one of those who received the request.

An earthquake off the coast of Sumatra had, a few days earlier, sent a tsunami surging across the Indian Ocean, killing more than a quarter of a million people and rendering hundreds of thousands homeless. It caused horrific devastation across more than a dozen countries.

British Airways had very generously laid on a plane to evacuate British citizens, free of charge, from one of the hardest hit areas. But how could the Brits be advised that this flight had been arranged and was due to depart in the next 18 hours? Could the major mobile providers send a text message to their customers who were likely to be in that area? And could they send the text message as quickly as possible – preferably within a few hours, to give victims sufficient time to catch the flight?

Yes they could. And yes, they did. (Or at least, yes, they certainly tried to send the messages.) No mobile operator declined on the grounds that the sending of such messages was unlawful, as they weren’t permitted by the Privacy and Electronic Communications (EC Directive) Regulations 2003, which placed restrictions on the ways that traffic data could be used to send messages to users.

Bugger the legal restrictions. What was more important was offering practical assistance to people who were victims of a regional calamity.

Shortly afterwards, and bearing in mind the practical lessons which were learnt from that incident, the FCO embarked on a series of discussions with the mobile operators about creating a more formal process for sending emergency messages to customers.

The FCO-sponsored discussions continued at what can only be described as a glacial pace. Eventually, the issue was handed to the Cabinet Office.

A couple of weeks ago, the Cabinet Office was finally able to announce the result of these discussions. After a decade of deliberations, a consultation document has been published, proposing minor tweaks to the Privacy and Electronic Communications (EC Directive) Regulations 2003 to set up a more robust public alert system.

The deadline for commenting on the proposals is 26th January.

I don’t expect that many people will bother responding to this consultation exercise. If I were to respond, I would ask why it has taken a decade for this matter to be addressed. When an issue like this emerges, it should not take the relevant stakeholders - including the public officials - so long to react. After all, when issues relating to the retention of communications data arose earlier this year, threatening the destruction of records that were potentially of considerable value to the law enforcement and intelligence community, emergency legislation was rushed through Parliament in days.

The third sentence of the consultation document’s Executive Summary is misleading. It is not fair to state that “in 2010 the Government committed to evaluate options for an improved public alert system in the UK” if readers are left with the impression that credit for the proposal should rest with the Coalition Government. This is just PR spin. It would have been much more accurate to state that since 2005, all Governments have dithered over how the system for sending alert messages to the public should be improved.

To use a more media-friendly phrase, they've dithered for a decade.

The main problem with initiatives like this is not in legitimizing them – but in executing them. Serious emergencies do not occur very frequently. So how will the Gold Commanders (the senior police figures who direct the emergency response teams) remember what process should be used to invoke the alert messages? How will the operational network management staff within the telecoms control rooms know that a genuine request is on its way? And how will the target recipients be sent the messages within the proposed 15 minutes? All this will require a lot of training, and regular exercising, to ensure that what ought to happen in theory actually does happen in practice.

Knowing how good the EE operational network management staff are at dealing with incidents, I’m pretty confident that my phone will receive an emergency message if I’m unfortunate enough to be in the affected area at the relevant time. Whether I’ll read it in good time is another matter.

Saturday, 27 December 2014

I’ve been squinting into the future – and now I’m ready to face the forthcoming year with renewed vigour.

The good news, in terms of data protection standards, is that not much is likely to change in 2015. So we should carry on trying to apply the rules we already know about. Officials from the EU member states will continue to meet to consider how the current standards ought to be modified. They will be placed under increasing pressure from politicians who are keen to be seen to be raising data protection standards across the globe, but it is highly unlikely that citizens will actually feel better protected this time next year as a result of all this pressure.

Communications Data

Petty criminals will flourish as law enforcement investigators working with local authorities (the sort that investigate dodgy dealers, con men, environmental health breaches, trading standards officials – you know the sort) will be starved of the resources that are required to obtain legal orders forcing communication service providers to supply the evidence that is so useful in securing convictions. Local politicians will increasingly explain that they don’t have the funds to pay for the data requests to be approved by local magistrates, and as it’s only low-level crime, the national media won’t bother drawing attention to the problem.

Connected Cars

Regulators will realise, only far too late, that new EU rules mandating electronic communication devices in cars have placed users under a new level of surveillance. Although primarily designed for use in locating a car after an accident, the devices’ “always on” facility provides amazing opportunities for data controllers that have other purposes in mind.

Cybersecurity

Consumers will reduce their expectations about the extent to which their data is safe when online. The media will continue to report on large-scale cyber security incidents, increasingly committed by state actors for political and national security reasons. Regulators will be increasingly drawn into prolonged disputes about the extent to which data controllers are liable for security breaches that result from attacks by professional criminals and (state-sponsored) hackers.

Data Retention

Data retention requirements will feature in 2015 – but with a twist. This time, regulators will press for data to be retained for longer periods, in order that the actions of suspected offenders can be reviewed long after their deeds were committed, while the more slippery data controllers will press for data to be deleted ever faster, to prevent evidence about said organisations being potentially available to prosecutors in the event that past behaviours need to be reviewed.

Drones

Despite continuing to drone on about drones, guidance about “safe droning”, issued in the UK by the Surveillance Camera Commissioner, the Information Commissioner, the Civil Aviation Authority and a myriad of other bodies, will be blissfully ignored by many thousands of happy droners, most of whom will be entirely unaware of the laws they will continue to break.

Employment Opportunities

HR Departments will continue to see data protection as an issue that requires a lawyer on board, rather than a hands-on data protection practitioner. The focus will continue to be mainly on “what does the current law, or a possible new law, mean for the organisation?” It ought to be “what do regulators expect an organisation to do to ensure that procedures are in place that implement the current, and possibly any future requirements, within the organisation?”

Fortress EU

EU citizens will continue to take advantage of innovative and compelling services from data controllers whose vision and ambition outstrips those who advocate the constraints of protectionism afforded by the administrators of a would-be EU super state.

Privacy

People’s expectations of what personal privacy means will continue to be shaped by the extent to which they wish to engage online. Privacy will increasingly become a luxury, a privilege that will be paid for through the use of subscription-only services. The overwhelming majority of citizens will be increasingly aware of the value exchange that occurs when they consume “free stuff” – and they will remain very happy to share “their” information for the “free” stuff.

Privacy Advocates

Will continue to flourish, but towards the margins of the debate. Colourful individuals will be courted by the media, and good stories will emerge that entertain and occasionally inform the public, whose insatiable thirst for news will momentarily focus on the odd data incident. But public attention will soon move on to other stories.

The Surveillance Society

Despite the cry of frustration from law enforcement officials whose job has been made much harder by the wholly predictable (and necessary) need for communications service providers to provide better layers of encryption and security, the overwhelming majority of citizens will accept that public surveillance is a necessary way of life in the democratic part of the developed world.

The greater integrity that democratically elected politicians (and regulators) have, the greater will be the public acceptance that surveillance will be used for benign purposes. My crystal ball was, unfortunately, unable to tell me whether the integrity of democratically elected politicians (or regulators) was likely to climb or drop in 2015.

Thursday, 18 December 2014

At the beginning of the week, I received an email from an organisation I
had never heard of. Somehow, my CV had ended up in their hands. I had recently sent
it to a couple of recruitment agencies, and one of them had evidently passed it to
a “partner company.” It read:

Dear Martin

Having reviewed your CV, our Senior Consultant has asked me to contact
you as he would like to meet up to talk through your current situation and
career objective. We specialise in helping mid to senior level individuals
across all sectors secure their next role.

He would be keen to meet in our London office this week if
possible.

Please phone me on 0113
205 2860 or e-mail me to arrange a mutually convenient time to meet.

I look forward to hearing from you.

Best Regards

Alex Smith

Sounds good?

I thought so – and accordingly I spent an hour yesterday with a
gentleman in London’s Cavendish Square who gave me a business card containing the
details of Geoff Russell, Director, Apollo, Tel: 0113 252 2282.

We spent a pleasant hour together. I chatted about my career history, while Geoff explained that it would be useful for us to meet for a 2-hour session in the New Year to more carefully review my career options. Both sessions would be free of charge. But next time, he would explain what Apollo’s deliverables would be, and how much it would cost if I were to join their programme.

During the conversation, Geoff explained that his company was in the
“career management” business - a concept pioneered in the US by Bernard
Haldane.

In a nutshell, the proposition is that Apollo would help by providing advice
and enabling me to meet relevant corporate decision makers (rather than the
usual HR folk) in order that I can secure the job that is right for me – for a
fee.

(I don’t think that Geoff read the bit of my CV which stated that I am
already a Non-Executive Director of a recruitment firm, and am therefore pretty
well placed to meet relevant corporate decision makers. However, we’ll let that
minor detail pass, for the moment.)

Geoff presents himself as an extremely credible executive, who has
worked for a variety of organisations over the years. He reassured me that
there are jobs that might well suit my interests, whatever they are. That came
as a relief – particularly as I hadn’t told him what my interests were, yet.

Returning home, alarm bells began to ring. Just how did Apollo get hold
of my CV? Why was there no Apollo nameplate on the front door at the Cavendish
Square office? Ok, it was a shared office building. That might be the reason.
But why was there no Apollo sign in the 4th floor reception area, where Geoff apparently worked three days each week? In fact, why
was there no “Apollo” branding anywhere?

So, I started to do a little more research into Apollo and Geoff.

Apollo has an impressive website. Virtually every week, yet another note of appreciation from a satisfied client is posted. This is a very successful track record. But why didn’t Geoff appear to
have a presence on LinkedIn? And why was he not willing to explain, during this
initial meeting, precisely what Apollo’s fees might be?

Why didn’t Apollo appear to have registered its activities with the ICO?
I couldn’t find the relevant entry on the ICO’s register of data controllers. Perhaps I didn't look hard enough.

Also, why were there so many worrying comments on the “whocallsme” chat
forum in relation to Apollo’s phone number(s)? The comments in relation to 0113 252 3070, a number registered to
a sister (or perhaps the same) company, also refer to Geoff Russell as a
senior consultant, and indicate that complaints have been made to the ICO
regarding potential breaches of the PECR regulations (sending unsolicited
emails).

Finally, why did my searches for “Bernard Haldane” result in this
unsettling article? Geoff’s sales pitch (together with the invitation to
undertake a psychological test before our next meeting) was remarkably similar
to Bernard’s career management approach.

The clincher was the chilling effect of the notice that Google had
placed under all its search listings: “Some results may have been removed under
data protection law in Europe.”

So, what else might I not know about Apollo?

I couldn’t find anything on Google’s .com site that was not already on
the .uk site. But I was sufficiently spooked to check, just to be on the safe
side.

The trouble is that, after all this research, I simply don’t have a
sufficient level of assurance about Apollo’s business practices. Despite the concerns I’ve unearthed, they might
indeed be a perfectly sound organisation.

Fortunately, every cloud has a silver lining. The afternoon was not
wasted. Apollo’s offices in central London are right next door to the John Lewis department store. So
even though I don’t plan to meet Geoff again, at least I was able to do some Xmas
shopping.

Update 23 March 2015: Apollo's Operations Director has written to me today, asking that I print the following paragraph - which of course I am happy to do:

“I am the Operations Director of Apollo and would like to
say that if anyone reading these comments would like to ask any questions about
our company or the career management services we provide please call me on 0113
2052851 or email me at a.greenley@Apollo.eu.com.

We are a customer focused, ISO accredited career management
company which has been operating and supporting our clients since 1997.”

About Me

I'm Martin Hoskins, and I started this blog to offer a somewhat irreverent approach to data protection issues. As time has passed, the tone of my posts has become more serious.
I'm not a "high priest" of data protection. I focus on the principles of transparency, fairness, practicality, risk-assessment and pragmatism when dealing with issues, rather than applying every aspect of every data protection rule.
While I may occasionally appear to criticise various organisations with which I am or have been associated, I write here in an entirely personal capacity, so these comments should never be taken to represent anyone else's views on what I write about.
I occasionally tweet as @DataProtector.
You can contact me at:
info@martinhoskins.com.